Discussion
o Introduction
o Concepts
o Trends
o Q&A
Do not cover: protocol specifications, vendor details, certificates
Background
Has existed from vendors: MS Update, Sicap.
Client-server based technology; application protocol.
Brings features such as:
o Updates: remote configuration/provisioning, backup.
o Monitor: license, troubleshoot and diagnose.
o Accounting: logging and reporting.
o Tracking: GPS and breadcrumb mapping.
Approaches
o Vendor specific: Smart Message text, NOK-ERIC OTA, etc.
o OMA groups: CD, inter-op, DM, etc.
o Models: SaaS, on-site, mixed.
o BYOD: hybrid employee/corporate mix.
BYOD
From a recent AT&T survey: 40% of small business employees use smartphones for work and two-thirds use tablets…
BYOD survey (source: Ponemon Institute): 51% of organizations lose data through mobile devices.
Challenges
o Centrally manage security: BYOD identity, access rights, privileges, etc.
o Scalability: apps, devices, users.
o Complexity: policies.
o Vendor variances: iOS, Android, ActiveSync, Windows Phone, BlackBerry, etc.
o Enterprises: requirements and use-case life cycles; roles, multi-tenants.
o Compliance!
Push Notification
Three items must match for a push notification to trigger an MDM response: the Device Token (without which the notification never reaches the device), the PushMagic token (without which the MDM client simply discards the notification), and the Subject Name / User ID field of the push notification certificate used to sign the notification, which must match the Topic field in the MDM profile.
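As an added example (not part of the original deck), the three-way match above expressed as a server-side pre-flight check in Python. The TokenUpdate check-in message, the topic string and the PushMagic value are constructed placeholders; the only protocol fact relied on is that an MDM wake-up push carries the PushMagic under the "mdm" key of the APNs payload.

```python
import json
import plistlib

# Constructed sample TokenUpdate check-in (not captured from a real device):
# the device reports its APNs device token and PushMagic to the MDM server.
TOKEN_UPDATE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>MessageType</key><string>TokenUpdate</string>
    <key>Topic</key><string>com.apple.mgmt.External.00000000-EXAMPLE-TOPIC</string>
    <key>UDID</key><string>00000000-EXAMPLE-UDID-0000</string>
    <key>Token</key><data>AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=</data>
    <key>PushMagic</key><string>EXAMPLE-PUSH-MAGIC-0000</string>
</dict>
</plist>
"""


def parse_token_update(raw):
    """Extract the device token, PushMagic and topic from a TokenUpdate message."""
    msg = plistlib.loads(raw)
    if msg.get("MessageType") != "TokenUpdate":
        raise ValueError("not a TokenUpdate message")
    return {
        "udid": msg["UDID"],
        "token": msg["Token"],          # bytes: the APNs device token
        "push_magic": msg["PushMagic"],
        "topic": msg["Topic"],
    }


def push_is_deliverable(record, push_cert_uid, profile_topic):
    """Return (ok, reasons). All three items the slide lists must line up:
    device token, PushMagic, and push-certificate UID == profile Topic."""
    reasons = []
    if not record.get("token"):
        reasons.append("missing device token: APNs cannot route the notification")
    if not record.get("push_magic"):
        reasons.append("missing PushMagic: the MDM client will discard the notification")
    if push_cert_uid != profile_topic or record.get("topic") != profile_topic:
        reasons.append("push certificate UID / profile Topic mismatch")
    return (not reasons, reasons)


def build_mdm_push(record):
    """APNs payload for an MDM wake-up: just the PushMagic under the 'mdm' key."""
    return json.dumps({"mdm": record["push_magic"]})


if __name__ == "__main__":
    topic = "com.apple.mgmt.External.00000000-EXAMPLE-TOPIC"  # placeholder topic
    rec = parse_token_update(TOKEN_UPDATE_PLIST)
    ok, why = push_is_deliverable(rec, push_cert_uid=topic, profile_topic=topic)
    print("deliverable:", ok, why)
    print("payload:", build_mdm_push(rec))
```

Running the check before every push turns the three silent failure modes on the slide (no delivery, client discard, topic mismatch) into a logged reason on the server side.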
Commands
First, the device must make a persistent connection to the APNS server. Then, for every MDM server command:
iOS MDM commands
iOS security model
Example: File key wrapping (iOS)
Sample: Evil Maid attack
Specs
For push:
o Apple: gateway.push.apple.com, port 2195
o Devices: TCP port 5223
o MDM port: defined by the MDM profile
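Added example (not from the original deck): a small Python egress check for the ports on this slide. It assumes the check is run from the MDM server host for the gateway port, and that the device-side port 5223 check is run from the device network against whatever APNs host the devices resolve; the self-check uses only a local listener so it works offline.

```python
import socket


def tcp_reachable(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_endpoints(endpoints, timeout=3.0):
    """Map (host, port) -> reachable for a list of egress targets."""
    return {(host, port): tcp_reachable(host, port, timeout) for host, port in endpoints}


def self_check():
    """Offline sanity check: a local listener must be reachable, a closed port must not."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    open_result = tcp_reachable("127.0.0.1", port, timeout=1.0)
    listener.close()                         # now the port is closed
    closed_result = tcp_reachable("127.0.0.1", port, timeout=1.0)
    return open_result, closed_result


if __name__ == "__main__":
    # Server -> APNs gateway, as listed on the slide. For the device side (TCP 5223),
    # run the same function from the device network against the APNs host in use.
    for (host, port), ok in check_endpoints([("gateway.push.apple.com", 2195)]).items():
        print(f"{host}:{port} {'reachable' if ok else 'blocked'}")
```

Apple has since retired the legacy binary provider interface on gateway.push.apple.com:2195 in favor of the HTTP/2 API, so substitute the endpoint your MDM server actually uses; the firewall question the slide raises is the same either way.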
MDM limitations
o User can terminate the MDM relationship.
o Multi-user model not supported.
o Jailbreak cannot be detected.
o Location service not available.
o App features very minimal.
o Security: command authentication optional, accepts any cert with a trusted root, etc.
o Malware install attacks: push webclip, etc.; DoS attacks.
o Delays, bugs, etc.
o MDM profile issues…
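Added example (not part of the original deck): a Python audit of the com.apple.mdm payload for the "command authentication optional" and "MDM profile issues" points above, with a hardening pass that shows the corrected settings next to the weak ones. The profile is constructed, the UUIDs and URLs are placeholders, and the keys checked (ServerURL, CheckInURL, SignMessage, IdentityCertificateUUID, Topic) are standard MDM payload keys.

```python
import plistlib

# Constructed MDM enrollment profile (not from any real deployment) carrying the weak
# settings the slide lists: unsigned device messages and plaintext check-in URLs.
WEAK_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.mdm.profile</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>PayloadIdentifier</key><string>com.example.mdm</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>Topic</key><string>com.apple.mgmt.External.EXAMPLE-TOPIC</string>
      <key>ServerURL</key><string>http://mdm.example.invalid/mdm</string>
      <key>CheckInURL</key><string>http://mdm.example.invalid/checkin</string>
      <key>IdentityCertificateUUID</key><string>00000000-0000-0000-0000-000000000003</string>
      <key>SignMessage</key><false/>
    </dict>
  </array>
</dict>
</plist>
"""


def _mdm_payloads(profile):
    return [p for p in profile.get("PayloadContent", []) if p.get("PayloadType") == "com.apple.mdm"]


def audit_mdm_payload(raw):
    """Return a list of findings for the MDM payload(s) in a profile; empty means clean."""
    findings = []
    for payload in _mdm_payloads(plistlib.loads(raw)):
        for key in ("ServerURL", "CheckInURL"):
            url = payload.get(key, "")
            if not url.startswith("https://"):
                findings.append(f"{key} is not https: {url!r}")
        if not payload.get("SignMessage", False):
            # With SignMessage off, device requests carry no Mdm-Signature header,
            # so the server cannot authenticate the command exchange.
            findings.append("SignMessage is off: device requests are unsigned")
        if "IdentityCertificateUUID" not in payload:
            findings.append("no IdentityCertificateUUID: no device identity for the MDM channel")
        if not payload.get("Topic", "").startswith("com.apple.mgmt."):
            findings.append("Topic does not start with com.apple.mgmt.")
    return findings


def harden_mdm_payload(raw):
    """Rewrite the weak settings: https URLs and signed device messages."""
    profile = plistlib.loads(raw)
    for payload in _mdm_payloads(profile):
        for key in ("ServerURL", "CheckInURL"):
            if payload.get(key, "").startswith("http://"):
                payload[key] = "https://" + payload[key][len("http://"):]
        payload["SignMessage"] = True
    return plistlib.dumps(profile)


if __name__ == "__main__":
    for finding in audit_mdm_payload(WEAK_PROFILE):
        print("finding:", finding)
    print("after hardening:", audit_mdm_payload(harden_mdm_payload(WEAK_PROFILE)))
```

Run the audit on every enrollment profile before it is published; SignMessage is the setting that turns the optional command authentication on the slide into a required one, and the server must then actually verify the Mdm-Signature header it receives.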